Abstract

We show that all attacks that can be mounted by a traditional Dolev-Yao intruder against common cryptographic protocols can be enacted by an apparently weaker ‘Machiavellian’ adversary in which compromised principals will not share long-term secrets and will not send arbitrary messages. We also show that a Dolev-Yao adversary composed of multiple compromised principals is attack-equivalent to an adversary consisting of a single dishonest principal who is only willing to produce messages in valid protocol form.


1 Introduction

Cryptographic protocol analysis traditionally assumes a worst-case scenario. All communication between honest principals passes through a single adversary. Further, the intruder can alter messages in any way within its computational ability as well as change their destination (including blocking them entirely). Worst of all, any compromised principal shares all of his/her information and capabilities with the adversary. For this reason, Anderson and Needham have described cryptographic protocol design as “programming Satan’s computer” [1]. However, this model may be overly pessimistic.

Proposed approaches to weakening the intruder model have been primarily topological, considering a distributed adversary with limited abilities [5, 6, 7]. A complementary possibility is to limit not what the different parts of the adversary can do, but what they are willing to do. The intruder will perhaps have complete access to signature keys, etc. for a principal that has been overtaken, e.g. on a machine for which the adversary has gained root access. But, compromised principals that are not overtaken, but simply dishonest, may be unwilling to share signature keys and other long-term secrets even if they are willing to participate in attacks. We call an adversary composed of such self-interested collaborators ‘Machiavellian’ in distinction to the classic Dolev-Yao intruder [4] mentioned above.

It might seem that the adversary composed of Machiavellian collaborators would be less able to mount attacks than a (collection of) Dolev-Yao intruder(s). This work shows that this is not the case for common authentication protocols (that do not transmit long-term secrets). Indeed, not only is a Machiavellian adversary as strong as a Dolev-Yao intruder, but also, surprisingly, all attacks representable with a full-blown Dolev-Yao adversary involving multiple compromised principals can be represented using just a single dishonest principal operating alone. We call adversaries capable of mounting the same attacks (in the weakest sense of the term) attack-equivalent.

2 Formal Development

In Figure 1, we express a generalization of the Dolev-Yao model to $n$ intruders using the multiset rewriting formalism presented in [2]. The current state of execution of a protocol $\mathcal{P}$ is represented as a multiset of atomic formulas, and each rule prescribes a transition that replaces the elements on the left-hand side with the components in the right-hand side ($\bullet$ stands for the empty multiset). Objects of the form $N(m)$ indicate that the message $m$ has been sent on the public network through which honest principals communicate, while each $DY_i$, for $i = 1..n$, can be seen as the private workshop where Dolev-Yao intruder number $i$ illicitly dismantles and assembles messages. The other predicates (here $\mathit{KeyP}$ and $\pi$) hold publicly available information. Observe that the two topmost rules enable the intruders to share all the information they know.

Figure 1: Dolev-Yao Intruder Model


Figure 2 formalizes the generalization of our Machiavellian model to $n$ intruders as a collection of multiset rewrite rules [1]. It differs from the specification of the Dolev-Yao adversary by the imposition of a restriction on the messages that an intruder can send on the network: they shall look like legitimate messages of the protocol. We formalize this idea through the notion of the skeleton of a message $m$, written $sk(m)$, and defined as follows:

$$
\begin{array}{rcl}
sk(n) & = & \mathit{nonce} \\
sk(k) & = & \mathit{stKey} \\
sk(k') & = & \mathit{ltKey} \\
sk(m_1, m_2) & = & (sk(m_1), sk(m_2)) \\
sk(\{m\}_k) & = & \{sk(m)\}_{sk(k)}
\end{array}
$$

where $n$ is a nonce, $k$ a short-term key and $k'$ a long-term key.

We assume that protocol principals can distinguish short-term secrets (tag $\mathit{stKey}$) from long-term keys (tag $\mathit{ltKey}$). Indeed, in the following, we shall restrict ourselves to protocols that do not transmit long-term keys, not even encrypted. We also assume that principals know the entire skeleton of any message they receive. The implications of this assumption are further discussed in Section 3. The skeleton of a protocol $\mathcal{P}$, written $sk(\mathcal{P})$, is given by the set of the skeletons of all the messages that are either exchanged as part of the execution of $\mathcal{P}$ or implied by it (e.g., the key built during a Diffie-Hellman exchange).
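As an added example (not from the paper), the skeleton function $sk$, the protocol skeleton $sk(\mathcal{P})$ and the Machiavellian injection test $sk(m) \in sk(\mathcal{P})$ in Python, together with the check that a message carries no long-term key as payload, which is what lets step 2 of the proof drop such messages. The tagged-tuple message encoding, the two-message sample protocol and all function names are this example's own assumptions.

```python
# Added example, not from the paper.  Messages are tagged tuples (this example's own encoding):
#   ("nonce", a) | ("stKey", a) | ("ltKey", a) | ("pair", m1, m2) | ("enc", m, k)
ATOMS = {"nonce", "stKey", "ltKey"}

def sk(m):
    """Skeleton sk(m): atoms collapse to their type tag, the structure is kept."""
    tag = m[0]
    if tag in ATOMS:
        return tag                                  # sk(n)=nonce, sk(k)=stKey, sk(k')=ltKey
    if tag == "pair":
        return ("pair", sk(m[1]), sk(m[2]))         # (sk(m1), sk(m2))
    if tag == "enc":
        return ("enc", sk(m[1]), sk(m[2]))          # {sk(m)}_{sk(k)}
    raise ValueError(f"unknown message form {tag!r}")

def protocol_skeleton(messages):
    """sk(P): the skeletons of every message the protocol exchanges or implies."""
    return frozenset(sk(m) for m in messages)

def transmits_ltkey(skel):
    """True if a long-term key occurs as payload (pair component or encrypted body),
    which the paper's protocol class excludes; a ltKey used only as an encryption key is fine."""
    if skel == "ltKey":
        return True
    if skel in ATOMS:
        return False
    if skel[0] == "pair":
        return transmits_ltkey(skel[1]) or transmits_ltkey(skel[2])
    return transmits_ltkey(skel[1])                 # "enc": inspect the body only, not the key

def inj_allowed(m, sk_p):
    """Rule (Inj.): a Machiavellian intruder may send m only if sk(m) is in sk(P); honest principals apply the same test on reception."""
    return sk(m) in sk_p

# Constructed sample protocol (hypothetical):  A->B: {Na, Ks}_Kab   B->A: {Na}_Ks
PROTOCOL = [
    ("enc", ("pair", ("nonce", "Na"), ("stKey", "Ks")), ("ltKey", "Kab")),
    ("enc", ("nonce", "Na"), ("stKey", "Ks")),
]
SK_P = protocol_skeleton(PROTOCOL)

def demo():
    """Three intruder-built messages: well-formed, wrong shape, long-term key as payload."""
    well_formed = ("enc", ("pair", ("nonce", "Ni"), ("stKey", "Ki")), ("ltKey", "Kib"))
    wrong_shape = ("enc", ("nonce", "Ni"), ("ltKey", "Kib"))      # {nonce}ltKey is not in sk(P)
    key_leak = ("pair", ("nonce", "Ni"), ("ltKey", "Kab"))         # ships a ltKey as payload
    return (inj_allowed(well_formed, SK_P), inj_allowed(wrong_shape, SK_P),
            inj_allowed(key_leak, SK_P), transmits_ltkey(sk(key_leak)))
```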

$$
\begin{array}{lcll}
N(m) & \to_{\mathcal{P}} & M_i(m) & (\mathit{Int.}) \\
M_i(m) & \to_{\mathcal{P}} & N(m) \quad \text{if } sk(m) \in sk(\mathcal{P}) & (\mathit{Inj.}) \\
 & \to_{\mathcal{P}} & & (\mathit{Dec.}) \\
M_i(m_1), M_i(m_2) & \to_{\mathcal{P}} & M_i(m_1, m_2) & (\mathit{Cmp.}) \\
M_i(\{m\}_k), M_i(k'), \mathit{KeyP}(k, k') & \to_{\mathcal{P}} & M_i(m), \mathit{KeyP}(k, k') & (\mathit{Decr.}) \\
 & & M_i(\{m\}_k) & (\mathit{Encr.}) \\
\bullet & \to_{\mathcal{P}} & \exists n. & (\mathit{Nnc.}) \\
\pi(m) & \to_{\mathcal{P}} & M_i(m), \pi(m) & (\mathit{Pub.}) \\
 & \to_{\mathcal{P}} & & (\mathit{Dup.}) \\
M_i(m) & \to_{\mathcal{P}} & \bullet & (\mathit{Del.})
\end{array}
$$

Figure 2: Machiavellian Intruder Model

Our result is summarized in the following diagram, where $DY_n$ and $M_n$ stand for the model consisting of $n$ Dolev-Yao and Machiavellian adversaries ($n > 0$), respectively. An arrow from $A$ to $B$ indicates that every message that intruder model $A$ can produce, and that may be accepted by an honest principal, can be constructed by adversary model $B$. Therefore, a double arrow between $A$ and $B$ means that they are attack-equivalent.

(Diagram: $DY_1 \leftrightarrow M_1$; the other arrows of the diagram, numbered 1 to 8, are not legible.)

The proof of our result proceeds as follows, where the numbering refers to the one-sided arrows in the figure.

1: We reduce $n$ Dolev-Yao adversaries to just one by merging their knowledge and initial data. We achieve this by replacing each piece of state $DY_i(m)$, for $i = 1..n$, with $DY(m)$, which will stand for the knowledge of our single target intruder.

2: We map a single Dolev-Yao adversary to a Machiavellian intruder by observing that the only messages that an honest principal will accept must have a skeleton that conforms to the protocol. Therefore, the only participant who can make use of an intruder-generated message with an unexpected skeleton is the intruder itself. Clearly these trivial transmission/reception loops can be eliminated. Notice that we need here the ability of a principal to distinguish short-term secrets from long-term keys (and drop messages mentioning the latter).

3,8: We simply take $n$ to be 1.

4,7: Since the Machiavellian adversary is a restriction of the Dolev-Yao intruder, every message that the former can generate can be produced by the latter.

5,6: By transitivity.

We expect to be able to formalize this proof by representing it, for example, in the linear logical framework LLF [3].


3 Conclusions and Future Work

The attack equivalence results in this abstract may have implications as far as protocol analysis is concerned. Indeed, different analysis tools may perform more efficiently by using one intruder model rather than another. For example, almost all proposed systems, especially those based on model checking, already assume a single intruder.

Establishing the equivalence of intruder models is non-trivial and can lead to substantial benefits in specific tools. The technique presented here is general, formally based on multiset rewriting concepts [2], and machine-checkable [3]. We intend to use this approach to explore other restrictions to the abilities of the adversary.

One of the factors that contributes to the simplicity of our proofs is the assumption that principals can always establish the skeleton of any message they accept (and produce). This means that a protocol participant knows the type structure of any received message, including any encrypted messages for which that principal lacks the decryption key. It is reasonable to assume that principals can recognize encrypted messages as such (we abstractly reduce signatures to private key encryptions and render hashes as encryptions for which no one has the decryption key). But, it is unrealistic to assume that principals will know the type structure of the submessages contained in such an encryption, unless s/he knows the key. It appears that the assumption can be removed if we make the notions of skeleton and attack-equivalence more subtle. Essentially, attack equivalence must be stated modulo the (sub)messages for which principals do not know the type structure. This also implies a relativization of skeletons to principals and/or roles. We intend to set out these subtleties and also to further flesh out and explore attack-equivalence in future work.